
Thread: Zimbra hacked =(

  1. #1
    Join Date
    Sep 2007
    Location
    Stockport
    Posts
    106
    Rep Power
    8

    Zimbra hacked =(

    Hi there, we have been hacked. I wonder if anyone could help get to the bottom of it. Mails have been sent out from addresses that do not exist within Zimbra (ra@ourdomain, co@ourdomain, de@ourdomain, ki@ourdomain, lu@ourdomain, by@ourdomain, cy@ourdomain). I have no idea how they have been sent. The only reason I knew there was a problem at first was that a number of users reported they had bounce messages for things they had not sent. It turns out they were members of a list (NUT@our domain). The server has had its network cable unplugged, but I can still see things that are being added to the queue.

    Can I make it so Zimbra will only send mail when a user has authenticated and has a valid address? What is the best way to diagnose if there is a virus or if there is an account compromised?

    Using IMAP over ssl. Can a user send mail without authenticating?

    I have looked through log file after log file but am lost as to making anything tally..

    Please help. We are a high school that starts term on Monday -(

    Thanks in advance

    Andy

  2. #2
    Join Date
    Jan 2013
    Posts
    24
    Rep Power
    2

    Most likely an account has been compromised, and they are using that account to relay spam through your server.

    Run this command as root:

    tail -n 100000 /var/log/mail.log | grep "sasl_username=" > smtpauthlogins.txt

    Then view smtpauthlogins.txt, and change the password for the account you see using SASL authentication over and over. I had the same issue yesterday, and this cleared it right up.

    If nothing else, it is worth a shot.

    Best of luck!
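
The grep above collects every SMTP AUTH line; the step of spotting the account that authenticates "over and over" can be done by counting. The following is an added example, not part of the original post: it assumes Postfix-style lines that carry `client=host[ip]` and `sasl_username=` on the same line, and the sample log, addresses and IPs are constructed.

```shell
#!/bin/sh
# Summarise SMTP AUTH logins in a Postfix log, one line per account:
#   <logins> <distinct client IPs> <sasl_username>
# Busiest account first. A mailbox with many logins from many addresses
# is the first candidate for a password reset.
sasl_summary() {
    # $1 = log file, e.g. /var/log/mail.log (the path used in the post above)
    awk '
    /sasl_username=/ {
        user = ""; ip = "unknown"
        for (i = 1; i <= NF; i++) {
            f = $i
            sub(/,$/, "", f)                       # drop trailing comma
            if (f ~ /^sasl_username=/) {
                user = substr(f, 15)               # text after "sasl_username="
            } else if (f ~ /^client=/) {
                o = index(f, "["); c = index(f, "]")
                if (o && c > o) ip = substr(f, o + 1, c - o - 1)
            }
        }
        if (user == "") next
        logins[user]++
        if (!((user, ip) in seen)) { seen[user, ip] = 1; ips[user]++ }
    }
    END { for (u in logins) print logins[u], ips[u], u }
    ' "$1" | sort -k1,1nr -k3,3
}

# Constructed sample input (not taken from the thread).
sample_log() {
cat <<'EOF'
Jan  5 09:58:11 mail postfix/smtpd[2101]: connect from unknown[203.0.113.7]
Jan  5 09:58:12 mail postfix/smtpd[2101]: 3A1B2C4D5E: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=pupil1@example.org
Jan  5 09:58:40 mail postfix/smtpd[2107]: 4B2C3D5E6F: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=pupil1@example.org
Jan  5 09:59:02 mail postfix/smtpd[2110]: 5C3D4E6F70: client=staffpc[192.0.2.10], sasl_method=PLAIN, sasl_username=staff@example.org
Jan  5 09:59:30 mail postfix/smtpd[2101]: 6D4E5F7081: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=pupil1@example.org
EOF
}

# Run against a real log when a path is given as the first argument.
if [ -n "${1:-}" ]; then sasl_summary "$1"; fi
```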

  3. #3
    Join Date
    May 2007
    Location
    Indonesia
    Posts
    149
    Rep Power
    8

    Hi,

    Originally posted by krolen:
    Hi there, we have been hacked.

    ...

    Can I make it so zimbra will only send mail when a user has Authenticated and has a valid address?

    Andy

    Try this: http://www.zimbra.com/forums/adminis...tml#post250465

    Best Regards
    ---
    Masim "Vavai" Sugianto
    Zimbra Tutorial
    Personal Blog [ID]

    Release 8.0.6_GA_5922.SLES11_64_20131203103702 SLES11_64 FOSS edition.

  4. #4
    Join Date
    Sep 2007
    Location
    Stockport
    Posts
    106
    Rep Power
    8

    Sorry for the slow reply, the server is offline so I'm not getting notifications. Must change my address on here. Thanks for the info, very helpful. One account came up quite a lot. I will change its password. I'm going to enforce password complexity for the whole domain, I think.

    Thanks again.

  5. #5
    Join Date
    Sep 2007
    Location
    Stockport
    Posts
    106
    Rep Power
    8

    Thanks, will have a look
